OpenClaw v2026.6.6-beta.1 introduces significant security hardening across sandboxes and host environments, expands provider support to Claude Fable 5 and OpenRouter OAuth, and optimizes Control UI latency.
OpenClaw v2026.6.6-beta.1 delivers tighter security boundaries, expanded LLM provider capabilities, and significant performance optimizations for the Control UI and TUI.
Key Changes
Security Hardening
Security boundaries have been substantially tightened across multiple vectors to prevent unauthorized access and execution:
- Host Environment Protection: The host exec sanitizer now blocks request-scoped Rustup environment overrides (e.g., RUSTUP_HOME, RUSTUP_TOOLCHAIN) and expands the unsafe host environment denylist to reject interpreter startup and search-path variables like BASHOPTS and FPATH (#91615, #91618).
- Git Protocol Security: Request-scoped Git protocol-control environment variables are now blocked to prevent loosening Git transport policy (#91619).
- Sandbox Validation: Docker sandbox bind sources are now validated in both directions; any bind source covering a blocked descendant (such as /var/run) is rejected (#91741).
- Codex Sandbox Hardening: The Codex sandbox exec-server HTTP bridge now rejects private or internal HTTP targets and pins validated DNS results to avoid validation/connect drift (#91752).
- MCP Security: Stdio MCP server environment filtering is hardened to drop inherited config pivot variables (e.g., Ansible and Terraform config keys) while preserving explicit credential keys like GITHUB_TOKEN (#91751).
- Access Control: Discord moderation actions (timeout, kick, ban) and Microsoft Teams group management (addParticipant, removeParticipant, renameGroup) now require a trusted requester sender or admin authorization (#91745, #91746).
- Prompt Context Protection: Unauthorized Telegram DM text is now blocked from prompt context and conversation caches to prevent information leaks (#91478).
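The host exec sanitizer and the stdio MCP environment filter described above share one idea: a child process must not receive variables that redirect a toolchain, interpreter or Git transport, while keys the operator explicitly lists as credentials still pass. The following TypeScript is an added illustration of that pattern and is not OpenClaw's own code; the denylist reproduces only the names the release notes mention (RUSTUP_*, BASHOPTS, FPATH, Git protocol-control variables, Ansible and Terraform config keys) plus a few well-known examples, and the function name and the credential exemption rule are assumptions for this example.

```typescript
// Added example, not OpenClaw's code: a deny-by-pattern filter for the
// environment handed to a child process (host exec or a stdio MCP server).

// Exact names that alter interpreter startup or search paths. BASHOPTS and
// FPATH come from the release notes; the rest are well-known examples.
const DENIED_EXACT = new Set<string>([
  "BASHOPTS", "FPATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "NODE_OPTIONS",
]);

// Prefixes covering toolchain overrides (RUSTUP_HOME, RUSTUP_TOOLCHAIN),
// Git protocol-control variables (GIT_ALLOW_PROTOCOL, GIT_CONFIG_PARAMETERS)
// and the "config pivot" keys of Ansible and Terraform (ANSIBLE_CONFIG,
// TF_CLI_CONFIG_FILE). Illustrative, not the project's actual list.
const DENIED_PREFIXES = ["RUSTUP_", "GIT_", "ANSIBLE_", "TF_"];

interface EnvFilterResult {
  env: Record<string, string>; // environment the child process receives
  rejected: string[];          // keys dropped, tagged by origin, for audit logs
}

function isDeniedEnvKey(key: string): boolean {
  return DENIED_EXACT.has(key) || DENIED_PREFIXES.some((p) => key.startsWith(p));
}

// inherited:      the daemon's own environment, filtered for pivot variables
// overrides:      request-scoped variables supplied by the caller
// credentialKeys: keys the operator explicitly allowed; they are copied from
//                 the inherited environment even when they match a denied
//                 prefix (e.g. TF_TOKEN_app_terraform_io under "TF_")
function buildChildEnv(
  inherited: Record<string, string>,
  overrides: Record<string, string>,
  credentialKeys: string[] = [],
): EnvFilterResult {
  const env: Record<string, string> = {};
  const rejected: string[] = [];
  const explicit = new Set<string>(credentialKeys);

  for (const k of Object.keys(inherited)) {
    if (explicit.has(k) || !isDeniedEnvKey(k)) env[k] = inherited[k];
    else rejected.push("inherited:" + k);
  }
  for (const k of Object.keys(overrides)) {
    // Overrides are never exempted: a request cannot replace an operator
    // credential or reintroduce a denied variable under any name.
    if (isDeniedEnvKey(k)) rejected.push("override:" + k);
    else env[k] = overrides[k];
  }
  return { env, rejected };
}

// Constructed sample input (not real values) showing the two directions:
// inherited pivot variables are dropped, request overrides are rejected,
// and the explicitly listed token survives.
const sample = buildChildEnv(
  { PATH: "/usr/bin", RUSTUP_HOME: "/opt/rustup", GITHUB_TOKEN: "ghp_example",
    ANSIBLE_CONFIG: "/tmp/ansible.cfg", HOME: "/home/u" },
  { RUSTUP_TOOLCHAIN: "nightly", BASHOPTS: "xpg_echo",
    GIT_ALLOW_PROTOCOL: "ext", CARGO_TERM_COLOR: "always" },
  ["GITHUB_TOKEN"],
);
console.log(sample.rejected.join(", "));
```

The rejected list is returned rather than silently discarded so the caller can log which request tried to set which variable; that is the signal a detection rule on the gateway would key on.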
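"Validated in both directions" for a bind source means two checks: the source must not lie inside a blocked host path, and it must not contain one, since binding /var would expose /var/run. The TypeScript below is an added example, not the project's sandbox code; /var/run is the only blocked path taken from the release notes, the other entries and the function names are assumptions.

```typescript
// Added example, not OpenClaw's code: two-directional bind-source validation.
// /var/run is from the release notes; the remaining entries are illustrative.
const BLOCKED_HOST_PATHS = ["/var/run", "/proc", "/sys", "/dev"];

// Normalise an absolute POSIX path: collapse repeated slashes and resolve "."
// and "..". Symlinks are NOT resolved here; a production check must also
// realpath the source before comparing, or a link into /var/run slips through.
function normalizePosix(p: string): string {
  if (p.charAt(0) !== "/") throw new Error("bind source must be absolute: " + p);
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// True when `child` equals `parent` or is nested beneath it. The comparison is
// on segment boundaries, so /varx is not treated as inside /var.
function isWithin(child: string, parent: string): boolean {
  if (parent === "/") return true;
  return child === parent || child.indexOf(parent + "/") === 0;
}

interface BindCheck { ok: boolean; reason?: string }

function checkBindSource(source: string): BindCheck {
  const src = normalizePosix(source);
  for (const blocked of BLOCKED_HOST_PATHS) {
    // Direction 1: the source sits inside a blocked tree.
    if (isWithin(src, blocked)) {
      return { ok: false, reason: src + " is inside blocked path " + blocked };
    }
    // Direction 2: the source is an ancestor that would expose a blocked tree.
    if (isWithin(blocked, src)) {
      return { ok: false, reason: src + " would expose blocked path " + blocked };
    }
  }
  return { ok: true };
}

// Constructed sample sources exercising both directions and the prefix pitfall.
for (const s of ["/home/u/project", "/var/run/docker.sock", "/var", "/", "/var/../var/run/", "/varx"]) {
  const r = checkBindSource(s);
  console.log(s, r.ok ? "accepted" : "rejected: " + r.reason);
}
```

The normalisation step matters as much as the list: without it, "/var/../var/run/" compares unequal to "/var/run" and the check is bypassed by a path that Docker would happily mount.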
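The Codex exec-server bridge change combines two defences: refusing targets whose addresses are private or internal, and connecting to the very address that was validated rather than resolving the name a second time, so a record that changes between the check and the connect (the "validation/connect drift") cannot redirect the request. The TypeScript below is an added example of that pattern and is not OpenClaw's bridge code; the resolver is injected with a constructed lookup table so it runs offline, and the function names and blocked-range list are assumptions.

```typescript
// Added example, not OpenClaw's code: reject internal HTTP targets and pin
// the validated address. Only IPv4 is handled; anything else fails closed.

type Resolver = (hostname: string) => string[]; // constructed here; would wrap real DNS

// Parse a strict dotted-quad IPv4 literal into a 32-bit number, else null.
function parseIPv4(s: string): number | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Address ranges the bridge must never reach: "this" network, RFC 1918,
// CGNAT, loopback and link-local (which includes cloud metadata endpoints).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function isInternalIPv4(ip: string): boolean {
  const n = parseIPv4(ip);
  if (n === null) return true; // fail closed on anything that is not a clean IPv4
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === (((parseIPv4(base) as number) & mask) >>> 0);
  });
}

interface PinnedTarget {
  host: string; // original hostname, kept for the Host header and TLS SNI
  ip: string;   // the address that was validated and must be connected to
}

// Resolve once, validate every answer, return the address to connect to.
// The caller opens the socket to `ip`, never to `host`, which removes the
// second lookup in which a rebinding record could answer differently.
function pinTarget(hostname: string, resolve: Resolver): PinnedTarget {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) {
    throw new Error("loopback hostname rejected");
  }
  // Only strict dotted quads are accepted as literals. Shorthand such as
  // "2130706433" or "0x7f000001" goes to the resolver, which returns nothing
  // for it in this example, so the target is rejected rather than guessed at.
  const answers = parseIPv4(h) !== null ? [h] : resolve(h);
  if (answers.length === 0) throw new Error("no addresses for " + h);
  // Every answer must be acceptable: a record set mixing a public and a
  // private address is the rebinding trick, so one bad answer rejects it.
  for (const ip of answers) {
    if (isInternalIPv4(ip)) throw new Error("internal address " + ip + " for " + h);
  }
  return { host: h, ip: answers[0] };
}

// Constructed lookup table standing in for DNS (not real records).
const sampleTable: Record<string, string[]> = {
  "api.example.com": ["93.184.216.34"],
  "rebind.test": ["93.184.216.34", "127.0.0.1"],
  "metadata.test": ["169.254.169.254"],
  "internal.test": ["10.1.2.3"],
};
const sampleResolver: Resolver = (h) => sampleTable[h] || [];
console.log(pinTarget("api.example.com", sampleResolver));
```

In a real bridge the pinned ip is what the socket connects to, while host is placed in the Host header and SNI; the request must also be re-validated on every redirect, since a 3xx to an internal name is the other common way round this check.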
Provider and Model Expansions
- Claude Fable 5: Added support for Claude Fable 5 across direct Anthropic, Vertex, and Bedrock catalogs, including adaptive-thinking defaults and refusal handling (#91882).
- OpenRouter OAuth: OpenRouter is now a first-class choice in the CLI onboarding process, supporting PKCE OAuth login (#91830).
- Gemma 4 Reasoning: Reasoning content replay is now preserved for Gemma 4 models via openai-completions (vLLM, OpenRouter), fixing issues where tool-call quality degraded during multi-turn replay (#91696).
- OpenAI Realtime: Realtime voice now explicitly requires OpenAI Platform API-key credentials instead of OAuth bearer tokens (#91567).
Performance and UI Optimizations
- Control UI Latency: Startup and first-reply latency are reduced through cached model metadata, lazy slash-command loading, and the removal of the startup catalog wait (#91531, #91538, #91598). New server timing phases now trace the first assistant event to split latency between the gateway and browser paint (#91568).
- TUI Improvements: The TUI footer now displays the connection hostname for URL-backed Gateway connections (#89909). Local runtime plugins are prewarmed during history loading to eliminate freezes on the first message submission (#90782).
- iOS/iPadOS Surfaces: The iPad and iPhone control surfaces have been overhauled with a macOS-aligned sidebar/navigation model, including connected surfaces for Workboard and Skill Workshop (#91557).
Core Fixes and Reliability
- iMessage Reliability: Inbound recovery now uses persistent claimable GUID deduplication and a startup rowid cursor to recover messages missed during downtime automatically (#91335). Outbound transport is hardened with a new sendTransport configuration (auto, bridge, or applescript) and separate RPC clients for replies to prevent wedged watch subscriptions from blocking sends (#91783).
- Telegram Delivery: Streamed answer blocks are now preserved across tool-call boundaries, preventing intermediate findings from disappearing (#88682). The native /compact command now bypasses the dispatch pipeline for immediate acknowledgement (#89588).
- Codex Session Management: Budget auto-compaction now prioritizes the owning context engine over the Codex native path to prevent short-circuiting (#91590).
- Memory Core: Local GGUF embeddings are moved to a dedicated @openclaw/llama-cpp-provider plugin to ensure native dependency stability during updates (#91324). OpenAI memory embedding now supports source-wide batching across multiple files (#89138).
Impact
Breaking Changes
- Exec Approval Timeouts: Unanswered exec approval requests now deny by default after the configured timeout. Users who require auto-approval must explicitly configure askFallback (#99938).
- OpenAI Realtime Auth: OAuth-only setups for OpenAI Realtime voice are no longer supported; a Platform API key is now required (#91567).
- Local Memory Providers: Users of local memory embeddings must run openclaw doctor --fix to install the new @openclaw/llama-cpp-provider plugin (#91324).
- Compaction Timeouts: The default compaction safety timeout is lowered from 900s to 180s. Sessions requiring more than 3 minutes for compaction should explicitly set agents.defaults.compaction.timeoutSeconds (#91361).
User Experience
- Android Stability: Persistent Android nodes no longer crash due to dataSync foreground service budget exhaustion on Android 15, as they now use the connectedDevice type (#80082).
- WhatsApp Recovery: Captured replies now route through successor controllers after a restart, fixing a bug where agents silently failed to reply after transient disconnects (#85823).
- Feishu Reliability: Bounded retries are now implemented for Feishu send-time rate-limit errors (HTTP 429, codes 11232 and 230020) (#89659).
FAQ
What's new in v2026.6.6-beta.1?
This release introduces tighter security for host environments and sandboxes, support for Claude Fable 5 and OpenRouter OAuth, and reduced latency for the Control UI and TUI.
Are there any breaking changes?
Yes. Exec approval timeouts now fail closed by default, OpenAI Realtime voice requires an API key instead of OAuth, and the default compaction timeout is reduced to 180 seconds.
How do I upgrade?
Users can upgrade via the standard update path. Those using local memory embeddings should run openclaw doctor --fix to install the new llama-cpp provider plugin.